Saturday 17 July 2010

Password Storage

As you may or may not know, I have previously had a few not so pleasant words for people's activities on Facebook (cf. this post). I'm sure most people will agree that some people post unbelievable things on Facebook. Granted, some of it is user error, and some of it is the interesting phenomenon called "Facebook rape" or simply "frape", but most of it is intentional. This has led to the development of two very similar sites, lamebook and failbook. The content is not all about people posting inexplicable things, but that is the gist of it. These sites have provided me with many hours of entertainment.

Now, you may be wondering what this has to do with password storage. This post is the link. So Ally stored all her passwords in a file, which I will for the sake of argument call pwd.doc. At this point that is already a really bad idea. But then Ally thought about securing this file, so she password protected it. Of course, the most brilliant part is putting the password into the file itself, which, as stated in the comments, is like locking a copy of the key inside the treasure chest. The pointlessness of that aside, Ally has now forgotten the password for pwd.doc, which is a bad thing.

What Ally has done is essentially a quick and easy password locker. Its security is debatable, as Word document passwords can be relatively easily cracked. That aside, it is an excellent solution for what is just a bad situation. A recent study has shown that people have about 25 accounts requiring passwords and an average of 8 passwords. Each of these accounts has varying specifications for length, characters used, frequency of change and so on. This leads to sheer overload for the human brain.

The instant response is for people to write down all these passwords (as shown in the comments on the posts), which then creates a security threat. So the natural solution to that is a password locker. Instead of writing it all down on a piece of paper, you store it digitally and encrypt it. That is a password locker. There are several of these available on the net, ranging from free to £15 to any amount somebody thinks they can get away with. There are several issues to consider when creating a password locker, but that is for a later post. So Ally has essentially got a DIY password locker, which is now locked.

However, this was posted on Facebook, so that means that either:
a) Ally's Facebook password is stored in the browser,
b) Ally has the "Remember me" option ticked,
c) Ally remembers the password.

Going through each option one at a time, first up we have browser storage. Most people use their browser's password storage system, which stores passwords and then fills them in automatically in web forms. This is an issue because a browser exploit could find all your passwords, and we all know where that leads. So door 1 has a goat behind it (for those of you unfamiliar with that reference, cf. The Monty Hall Problem).

Let's look at the next option, "Remember me", which was covered in a previous post, in the 6th paragraph. So another goat.

Finally, we assume Ally remembers the password. Well then, we can safely say it is more memorable than the password for pwd.doc. If we assume both passwords are equally memorable, then we can rule out this option. So we have a car, sort of. Let's say a goat-pulled car.

I could go on and on at length about passwords and their implications, but let's be honest, you'd rather hear it from someone else. Bruce Schneier has several posts about passwords on his blog. Have a read through there if you are interested.

---NOTE: I will still post something about password lockers---

Wednesday 7 July 2010

Another side-note

Well, I have previously pointed out how TV tries to use cryptography as a plot point and fails massively, but I found a counter-example. I have recently started watching Numb3rs, and by recently I mean I'm only on Season 1 Episode 5. Which is the exact episode I want to talk about, well, not really talk about so much as mention that they pretty much got the details of how cryptography works right. There was a slight lack of finesse in it, but overall the general idea was conveyed. Needless to say, this made me happy. Apart from that, as far as I can tell most of the maths they do/show/explain on the show is fairly accurate. Looks like I have a new TV show to watch.

*EDIT*
Season 1 Episode 6, same as above.